ISE 1.2 VM core
What is the maximum number of cores for an ISE 1.2? The minimum is 4 but a maximum isn't defined.
Hi,
You could use the SNS-3495 platform that has a total of 8 cores.
VMware Appliance Specifications for a Production Environment
Platform | SNS-3415 | SNS-3495
Processor | Single socket Intel E5-2609 2.4 GHz CPU, 4 total cores | Dual socket Intel E5-2609 2.4 GHz CPU, 8 total cores
Memory | 16 GB | 32 GB
Total Disk Space | 600 GB | 600 GB
Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs
Source,
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_vmware.html#wp1104790
Thanks
Anas
Similar Messages
-
ISE wireless with HP core switch
Hi all,
We are planning to implement ISE for Wireless users. Our core switch is HP and our WLC is 5500.
I would like to know if we need to change our core switch so that we can use ISE or there is no need to change it.
You'd need 2 separate SSIDs as the access method will be different for each, e.g:
Employee - WPA2 and 802.1x
Guest - Webauth
You don't have to have a quarantine, we do but it's not essential.
For your employee WLAN you could have just one VLAN or you could have multiple. We started off with just one for our employee WLAN but now we've got several on each WLC (laptops, medical devices, etc.). I would suggest starting off simple with one.
Your employee WLAN clients won't get an address until after they authenticate so you don't need a VLAN before then.
-
Hello, everyone.
I am using a Virtex-6 FPGA and trying to download an mcs file to PROM and have failed.
I downloaded the .bit file to the FPGA and succeeded.
When I try to download the .mcs file to PROM XCF128X-FTG64C (BPI Flash) and choose Slave SelectMAP Mode
and the process is about 68% it fails.
The message from iMPACT is as follows:
done.
PROGRESS_END - End Operation.
Elapsed time = 0 sec.
// *** BATCH CMD : identifyMPM
// *** BATCH CMD : assignFile -p 1 -file "C:/Users/Administrator/Desktop/TEST/LED/led.bit"
'1': Loading file 'C:/Users/Administrator/Desktop/TEST/LED/led.bit' ...
done.
INFO:iMPACT:2257 - Startup Clock has been changed to 'JtagClk' in the bitstream stored in memory,
but the original bitstream file remains unchanged.
UserID read from the bitstream file = 0xFFFFFFFF.
INFO:iMPACT:501 - '1': Added Device xc6vlx240t successfully.
INFO:iMPACT - Current time: 2014/3/13 8:48:14
// *** BATCH CMD : Program -p 1
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 66000000.
Validating chain...
Boundary-scan chain validated successfully.
INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C > 120.00C]
1: Device Temperature: Current Reading: 230.52 C, Max. Reading: 230.52 C
1: VCCINT Supply: Current Reading: 2.997 V, Max. Reading: 2.997 V
1: VCCAUX Supply: Current Reading: 2.997 V, Max. Reading: 2.997 V
'1': Programming device...
Match_cycle = NoWait.
Match cycle: NoWait
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
INFO:iMPACT:579 - '1': Completed downloading bit file to device.
INFO:iMPACT:188 - '1': Programming completed successfully.
Match_cycle = NoWait.
Match cycle: NoWait
LCK_cycle = NoWait.
LCK cycle: NoWait
INFO:iMPACT - '1': Checking done pin....done.
'1': Programmed successfully.
PROGRESS_END - End Operation.
Elapsed time = 23 sec.
Selected part: XCF128X
// *** BATCH CMD : attachflash -position 1 -bpi "XCF128X"
// *** BATCH CMD : assignfiletoattachedflash -position 1 -file "C:/Users/Administrator/Desktop/TEST/LED/leda.mcs"
INFO:iMPACT - Current time: 2014/3/13 8:49:32
// *** BATCH CMD : Program -p 1 -dataWidth 16 -rs1 NONE -rs0 NONE -bpionly -e -v -loadfpga
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 66000000.
Validating chain...
Boundary-scan chain validated successfully.
INFO:iMPACT - 1: Over-temperature condition detected! [ 230.52C > 120.00C]
1: Device Temperature: Current Reading: 230.52 C, Max. Reading: 230.52 C
1: VCCINT Supply: Current Reading: 2.997 V, Max. Reading: 2.997 V
1: VCCAUX Supply: Current Reading: 2.997 V, Max. Reading: 2.997 V
'1': BPI access core not detected. BPI access core will be downloaded to the device to enable operations.
INFO:iMPACT - Downloading core file D:/Xilinx/14.3/ISE_DS/ISE/virtex6/data/xc6vlx240t_jbpi.cor.
'1': Downloading core...
Match_cycle = NoWait.
Match cycle: NoWait
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0011 1111 0111 1110 0100 1011 1100 0000
INFO:iMPACT:2492 - '1': Completed downloading core to device.
Current cable speed is set to 6.000 Mhz.
Cable speed is default to 3Mhz or lower for BPI operations.
Current cable speed is set to 3.000 Mhz.
Setting Flash Control Pins ...
Setting Configuration Register ...
Populating BPI common flash interface ...
Common Flash Interface Information Query completed successfully.
INFO:iMPACT - Common Flash Interface Information from Device:
INFO:iMPACT - Verification string: 51 52 59
INFO:iMPACT - Manufacturer ID: 49
INFO:iMPACT - Vendor ID: 01
INFO:iMPACT - Device Code: 18
Setting Flash Control Pins ...
Using x16 mode ...
Setting Flash Control Pins ...
Setting Configuration Register ...
'1': Erasing device...
'1': Start address = 0x00000000, End address = 0x008CE03B.
done.
'1': Erasure completed successfully.
Setting Flash Control Pins ...
Using x16 mode ...
Setting Flash Control Pins ...
Setting Configuration Register ...
INFO:iMPACT - Using Word Programming.
'1': Programming Flash.
done.
Setting Flash Control Pins ...
'1': Flash Programming completed successfully.
Using x16 mode ...
Setting Flash Control Pins ...
Setting Configuration Register ...
'1': Reading device contents...
done.
'1': Verification completed.
Setting Flash Control Pins ...
Current cable speed is resumed to 6.000 Mhz.
'1': Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings.
Elapsed time = 814 sec.
I find many people have met the same thing, but they are using Spartan series FPGAs. I tried to lower the resistances of the mode pins, M0, M1 and M2, but the problem has not been solved.
I have read the status registers and find there is an over-temperature state,
and in iMPACT I could not read back the registers. It is strange.
I am anxious about this problem and have not solved it yet.
What reasons may it be?
Hope for your answer, thank you
Hi~ I want to know if you solved the configuration problem for Virtex-6?
As I encounter the same configuration problem, I want to consult you with some question.
Can I have your email?
gszakacs wrote:
I have measured the VCCINT and find it is 1.0V, not 2.997V;
That is not at all surprising. I always assumed the problem is with reading the XADC (system monitor) block and not with the voltage or temperature.
my Reference board is ML605
That would have been nice to know at the beginning...
It seems that you have selected the correct mode, assuming your jumpers are set as required in the ML605 Hardware User's Guide. See table 1-27, table 1-33 and the note below it about switch S1.
I'm not that familiar with the details of this reference design, but it may be that the slave SelectMap circuitry requires a reset or power cycle to actually configure the FPGA. Have you tried power-cycling to see if the FPGA boots from the flash?
I'd also suggest that you select the V6 in the JTAG chain view, then go to the debug menu of Impact and select Read Device Status (this is from memory, but it's something like that). That will not only show the bits of the configuration status register, but also describe what each bit means. Among other things you can check the state of the FPGA's configuration logic and the Mode pins.
-
Configuration data download to FPGA was not successful.
I have designed a board with the Spartan 6 LX9 TQFP144 Package.
I am able to load a bitstream to the device with the Digilent HS-2. However, the FPGA cannot self-configure from the attached SPI Flash.
Here is the console output from iMPACT:
GUI --- Auto connect to cable...
INFO:iMPACT - Digilent Plugin: Plugin Version: 2.4.4
INFO:iMPACT - Digilent Plugin: found 1 device(s).
INFO:iMPACT - Digilent Plugin: opening device: "JtagHs2", SN:210249983579
INFO:iMPACT - Digilent Plugin: User Name: JtagHs2
INFO:iMPACT - Digilent Plugin: Product Name: Digilent JTAG-HS2
INFO:iMPACT - Digilent Plugin: Serial Number: 210249983579
INFO:iMPACT - Digilent Plugin: Product ID: 30900152
INFO:iMPACT - Digilent Plugin: Firmware Version: 0109
INFO:iMPACT - Digilent Plugin: JTAG Port Number: 0
INFO:iMPACT - Digilent Plugin: JTAG Clock Frequency: 10000000 Hz
Attempting to identify devices in the boundary-scan chain configuration...
INFO:iMPACT - Current time: 27.07.2015 16:19:26
PROGRESS_START - Starting Operation.
Identifying chain contents...'0': : Manufacturer's ID = Xilinx xc6slx9, Version : 2
INFO:iMPACT:1777 -
Reading C:/Xilinx/ISE/14.7/ISE_DS/ISE/spartan6/data/xc6slx9.bsd...
INFO:iMPACT:501 - '1': Added Device xc6slx9 successfully.
done.
PROGRESS_END - End Operation.
Elapsed time = 0 sec.
Selected part: N25Q128
Unprotect sectors: FALSE
INFO:iMPACT - Current time: 27.07.2015 16:20:19
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 25000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
INFO:iMPACT - Downloading core file C:/Xilinx/ISE/14.7/ISE_DS/ISE/spartan6/data/xc6slx9_spi.cor.
'1': Downloading core...
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
'1': Reading status register contents...
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0011 1100 1110 1100
INFO:iMPACT:2492 - '1': Completed downloading core to device.
'1': IDCODE is '20ba18' (in hex).
'1': ID Check passed.
'1': IDCODE is '20ba18' (in hex).
'1': ID Check passed.
'1': Erasing Device.
'1': Using Sector Erase.
'1': Programming Flash.
'1': Reading device contents...
done.
'1': Verification completed.
'1':Programming in x4 mode.
'1': Configuration data download to FPGA was not successful. DONE did not go high, please check your configuration setup and mode settings.
INFO:iMPACT - '1': Flash was not programmed successfully.
PROGRESS_END - End Operation.
Elapsed time = 78 sec.
If I read that correctly, data was written to the Flash but the FPGA was not able to configure from that data.
The DONE pin is connected to 3.3V via a 470 Ohm resistor.
The Flash is a N25Q128A13ESE40G, Datasheet here: http://www.farnell.com/datasheets/1674445.pdf
I can perform a readback, checksum and an erase.
If I do a read device status this is the console output:
INFO:iMPACT - Current time: 27.07.2015 16:36:27
Maximum TCK operating frequency for this device chain: 25000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': IDCODE is '20ba18' (in hex).
'1': ID Check passed.
'1': IDCODE is '20ba18' (in hex).
'1': ID Check passed.
'1': IDCODE is '20ba18' (in hex).
'1': ID Check passed.
INFO:iMPACT - '1': Reloading FPGA configuration data stored in flash...
INFO:iMPACT:182 - done.
On the Flash side I have pulled s# and Hold up to 3.3V with 100k Resistors.
Can someone help me to find the problem?
So does the FPGA try to read the SPI flash when it boots?
Out with the scope, probe the clock and the data, see if you can see it streaming out when you boot.
If so, then one other thing I have seen wrong a few times is the data path of the SPI, single bit or 4 bits of data.
You have to make certain the bit file was created in the same width as the FPGA is expecting.
In ISE I think it's in iMPACT where you make the SPI flash file and specify this.
-
I'm having a problem programming my SPI PROM used for Spartan-6 configuration. My FPGA is the xc6slx45. The SPI hardware is just like in Figure 2-12 of ug380. I'm using a Numonyx M25P32 SPI Flash. I'm attempting to program using ISE iMPACT. I've gone through the procedures in help for "Creating SPI PROM files - Single FPGAs" and "Programming an SPI or BPI Flash Memory through an FPGA". I've done "Boundary Scan" and "Create PROM File (PROM File Formatter)". From the iMPACT boundary scan window when I right click the flash part and select program I get the following:
INFO:iMPACT - Current time: 7/15/2015 8:39:59 AM
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 25000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
INFO:iMPACT - Downloading core file C:/Xilinx/14.7/ISE_DS/ISE/spartan6/data/xc6slx45_spi.cor.
'1': Downloading core...
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
'1': Reading status register contents...
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0000 0000 0000 0000
INFO:iMPACT:2492 - '1': Completed downloading core to device.
INFO:iMPACT - '1': Flash was not programmed successfully.
PROGRESS_END - End Operation.
Elapsed time = 2 sec.
If I monitor the SPI connections on the flash I see CSO_B activate but I don't see any activity on MOSI.
No luck with 14.1. Here's the console output:
GUI --- Auto connect to cable...
INFO:iMPACT - Digilent Plugin: Plugin Version: 2.4.4
INFO:iMPACT - Digilent Plugin: no JTAG device was found.
AutoDetecting cable. Please wait.
PROGRESS_START - Starting Operation.
Connecting to cable (Usb Port - USB21).
Checking cable driver.
Driver file xusbdfwu.sys found.
Driver version: src=1027, dest=1027.
Driver windrvr6.sys version = 11.7.0.0. WinDriver v11.7.0 Jungo Connectivity (c) 1997 - 2014 Build Date: Oct 26 2014 x86_64 64bit SYS 09:16:51, version = 1170.
Cable PID = 0008.
Max current requested during enumeration is 300 mA.
Type = 0x0005.
Cable Type = 3, Revision = 0.
Setting cable speed to 6 MHz.
Cable connection established.
Firmware version = 2401.
File version of C:/Xilinx/14.1/ISE_DS/ISE/data/xusb_xp2.hex = 2401.
Firmware hex file version = 2401.
PLD file version = 200Dh.
PLD version = 200Dh.
PROGRESS_END - End Operation.
Elapsed time = 1 sec.
Type = 0x0005.
ESN option: 000015DE6D9E01.
INFO:iMPACT - Current time: 7/15/2015 10:01:49 AM
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 25000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': SPI access core not detected. SPI access core will be downloaded to the device to enable operations.
INFO:iMPACT - Downloading core file C:/Xilinx/14.1/ISE_DS/ISE/spartan6/data/xc6slx45_spi.cor.
'1': Downloading core...
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
'1': Reading status register contents...
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0000 0000 0000 0000
INFO:iMPACT:2492 - '1': Completed downloading core to device.
INFO:iMPACT - '1': Flash was not programmed successfully.
PROGRESS_END - End Operation.
Elapsed time = 4 sec.
-
Use of second interface (eth1) on ISE
Hi. I am setting up a two-node deployment of ISE (3315 - version 1.2.0.899). Both appliances will be connected to my two core switches.
I would like to know if I just have to configure one ethernet interface (eth0) on each ISE server and then connect each eth0 to a different switch. Or, in order to get more redundancy, should I configure both ethernet interfaces on each ISE appliance and then connect eth0 to switch 1 and eth1 to switch 2 on both appliances?
Thank you
Yes, you can do that, as all the ports can be used for replication and synchronization, but management is restricted to Eth0 only.
-
Hi
I have a strange problem after installing licenses in ISE. The following information is in a "show tech".
This info is for 1.3 clean install + license.
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 0 GB
It is the same in the Eval version but in this server there is a 2500 license
The same is observed in both ISE 1.2.1 and 1.3 (running a POC on ISE)
When trying to upgrade ISE 1.2.1 > 1.3 the following output
Getting bundle to local machine...
md5: ad7d87d383661bce671804a9e125e42b
sha256: 2a7ebe5196e3d956ac42ec2e5acdf3815a3e0f80db954b58e2c68843bb3c42fd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Unbundling Application Package...
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
% Error: At least 100GB sized hard disk required for upgrade.
the disk is
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 644.20 GB
Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
Thanks
Erik Loeth
Attached is the output from VMware, this is made with the OVA
ISE-1.3.0.876-virtual-SNS3495-2.ova
The disk output from show inventory
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: XXXXXXXXXXXXXXX
Total RAM Memory: 16467264 kB
CPU Core Count: 4
CPU 0: Model Info: Intel(R) Xeon(R) CPU E7- 4870 @ 2.40GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU E7- 4870 @ 2.40GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU E7- 4870 @ 2.40GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU E7- 4870 @ 2.40GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 644.20 GB
Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: XXXXXXXXXXXXXXXXXX
NIC 0: Driver Descr: Intel(R) PRO/1000 Network Driver
(*) Hard Disk Count may be Logical.
Regards
Erik Loeth
-
ISE 1.2 SNS-3415 NIC Bonding / Teaming
Hello,
I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (team) NIC modes for the authentication requests and not for management purposes.
The tests showed that when the one interface was unplugged everything was lost and nobody from our internal users was able to be authenticated by the ISE node.
In contrast, when I unplugged the "second interface" (probably the inactive one), nothing happened, which shows that it is a useless interface.
My purpose is to connect it to my twin core switches and have a full high availability deployment.
- I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
Themis
ISE 1.2 does not support NIC teaming. Especially on appliances. There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
-
Hello!
My 2 node (16 core, 32 GB RAM, SAN) ISE installation on VMware is complaining about high latency. I have about 250 test clients connected, and the VMware guys can't seem to find anything wrong. Is there any way to get a more detailed test of WHAT actually is causing this high latency? CPUs are idling, RAM is at 2% and disk I/O is almost not measurable, but the software is still complaining (the Dashboard shows latency at 100+ ms). I think this might be the external CA, against which the client certificates are run, but I don't know if I can test this theory!
I have 2 hardware appliances coming, but I thought my test environment should be more than enough to handle 250 clients. I am a bit concerned about going live with 5000 clients in the future if it is already complaining with 250 active clients.
And yes, I will be splitting the tasks up between the 2 physical boxes (Profiling and such) and the 2 VM boxes (Management), but at the moment, for 250 clients the 2 VMs should be enough.
I have a couple of my customers complaining about this as well. I believe it is cosmetic and it is due to this bug CSCup97285
The suggested action for this alarm in ISE is:
Check if the system has sufficient resources, Check the actual amount of work on the system for example, no of authentications, profiler activity etc.., Add additional server to distribute the load
I have confirmed with both clients that the appropriate resources were allocated and reserved in VM. In addition, neither client is reporting any issues so this leads me to believe that it is just a cosmetic bug.
Thank you for rating helpful posts!
-
ISE v1.1 NAD 6500 failed to decrypt Key......
Hello everyone ,
I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.
Here is the network topology:
DNSs are fully resolvable forward and reverse zone and ISEs, AD, WLC and SW Core are synched with the same NTP server.
As I mentioned Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISEs servers came up, the trust relationship between AD and ISEs was broken and so was HA replication. I did some troubleshoot to delete and install new certificates from AD into both ISEs and build again the HA configuration. I finally got the ISEs working fine again.
This last weekend, another electrical outage occurred in the office (client is working with a temporary plant and is already warned about electrical damages not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the SW:
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:05.114: RADIUS: authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: request authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
I have deleted and created again the 6500 NAD in the ISE, and configured again the Radius-Key in the 6500 making sure they are exactly the same. But I keep receiving the same errors.
I have already reviewed the following links:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
Everything points me to the Radius Key between ISE and the 6500 SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
ISE version: 1.1.0.665
ADE OS: 2
Active Directory: Windows 2008 R2 Standard
6500 SW Config:
Building configuration...
Current configuration : 65413 bytes
! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service counters max age 5
boot-start-marker
boot system flash bootdisk:
boot-end-marker
logging buffered 64000
enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
username test-radius password 7 14141B180F0B7B7977
aaa new-model
aaa authentication login Tr3s41ia.2012 local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 172.16.3.5 server-key 7 110A1016141D5A5E57
aaa session-id common
platform ip cef load-sharing ip-only
platform rate-limit layer2 port-security pkt 300 burst 10
clock timezone MXInv -6
clock summer-time MXVerano recurring
authentication critical recovery delay 1000
interface GigabitEthernet8/1
switchport
switchport access vlan 2
switchport mode access
ip access-group ACL_ISE_Default in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast edge
ip default-gateway 172.16.3.2
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.3.2
ip radius source-interface Vlan3 vrf default
logging origin-id ip
logging source-interface Vlan3
logging host 172.16.3.5 transport udp port 20514
snmp-server group Tr3s41ia.2012aes v3 priv
snmp-server group Tr3s41ia.2012md5 v3 auth
snmp-server community public RO
snmp-server community tresaliarw RW
snmp-server community tresaliaro RO
snmp-server trap-source Vlan3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps memory bufferpeak
no snmp-server enable traps entity-sensor threshold
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification move change
snmp-server enable traps errdisable
snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
snmp-server host 172.16.3.5 version 2c tresaliaro
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
service-policy input policy-default-autocopp
line con 0
logging synchronous
login authentication Tr3s41ia.2012
line aux 0
line vty 0 4
login authentication defaulTr3s41ia.2012
transport input ssh
line vty 5 1509
login authentication defaulTr3s41ia.2012
transport input ssh
ntp clock-period 17179836
ntp peer 172.16.4.9
no event manager policy Mandatory.go_switchbus.tcl type system
end
Additionally, I'm getting the following screen when accessing the Stand-by server via https:
I'm thinking that there might be some problems with the CA Certificates installed on ISEs, or some corrupted data due to the 2 sudden restarts.
Any help, hint or direction will be really appreciated.
Thanks in advance for your time. Best Regards.
Hello Tarik, thanks for your response,
I'll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens. If this doesn't work I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): sending
Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
Sep 12 20:42:59.713: RADIUS: authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
Sep 12 20:42:59.713: RADIUS: User-Password [2] 18 *
Sep 12 20:42:59.713: RADIUS: User-Name [1] 6 test
Sep 12 20:42:59.713: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 20:42:59.713: RADIUS: NAS-IP-Address [4] 6 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
Sep 12 20:43:14.489: RADIUS: authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: request authen: 24523041B70674CEC74B7BFF8788F723
Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
User rejected
And here are the results from the Operations/Authentications Tab from ISE:
There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using NTRadPing tool as a test and it's successful. AD and 6500 SW are using the same Radius key to communicate with ISE. Here is the AD user Authentication:
So I'll proceed to re-configure the SW for Radius server and let you know if this is the solution.
Thanks in advance for your time and comments.
-
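Added example, not part of the posts above: the check behind the "response-authenticator decrypt fail" lines in the switch debug, as defined in RFC 2865. The NAS recomputes MD5 over the reply header, its own Request Authenticator, the reply attributes and its local shared secret, and compares the result with the authenticator in the reply. The packet dump and request authenticator are copied from the first debug output in the thread; both shared secrets are constructed placeholders, and build_response is a hypothetical stand-in for the server side.

```python
import hashlib
import hmac
import struct

# Copied from the switch debug output in the thread above.
PACKET_DUMP = "03A5001400D5B60BC9498381871723822B6ACBC7"
REQUEST_AUTHEN = "41EAE3A7DAEE6332CE646436F949C5A1"

# Constructed placeholders, NOT values from the thread.
SERVER_SECRET = b"constructed-server-secret"
NAS_SECRET = b"constructed-nas-secret"

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_response(packet: bytes) -> dict:
    """Split a RADIUS reply into its header fields (RFC 2865, section 3)."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the packet")
    return {
        "code": code,
        "name": CODES.get(code, "other"),
        "id": ident,
        "length": length,
        "authenticator": packet[4:20],
        "attributes": packet[20:length],
    }


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, attributes, request_auth, secret):
    """Hypothetical server side: sign a reply with the server's secret."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the digest with the local secret and compare."""
    f = parse_response(packet)
    expected = response_authenticator(
        f["code"], f["id"], f["attributes"], request_auth, secret
    )
    return hmac.compare_digest(expected, f["authenticator"])


if __name__ == "__main__":
    req = bytes.fromhex(REQUEST_AUTHEN)

    # The reply captured in the thread: Access-Reject, id 165, no attributes.
    captured = parse_response(bytes.fromhex(PACKET_DUMP))
    print(captured["name"], captured["id"], captured["length"],
          captured["authenticator"].hex().upper())

    # Same reply shape signed by a server holding SERVER_SECRET.
    reply = build_response(3, 165, b"", req, SERVER_SECRET)
    print("NAS has matching secret :", verify_response(reply, req, SERVER_SECRET))
    print("NAS has different secret:", verify_response(reply, req, NAS_SECRET))
```

The digest covers the Request Authenticator as well as the secret, so a reply to a different request, or a reply from a node signing with another key, fails the same check even when the key typed on the switch is correct.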
Disturbing http connection from ISE to an unknown Internet address
I have an ISE version 1.1.2.145 Patch-5 running in standalone mode. No one has access to the ISE appliance except myself. The ISE has an IP address of 1982.168.1.1
Today, I noticed that the ISE is attempting to make an outbound http connection to an unknown Internet IP address of files.liferay.com. Fortunately, my Checkpoint firewall does not allow this connection:
Number: 99427
Date: 17Nov2013
Time: 23:03:11
Interface: eth2
Origin: Corp_Firewall
Type: Log
Action: Drop
Service: http (80)
Source Port: 58025
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: files.liferay.com (38.75.15.3)
Protocol: tcp
Rule: 100
Rule UID: {1234abcd-1111-xxxx-vvvv-aaaaaaaaaa}
Rule Name: Corp_Firewall Log Drop rule
Current Rule Number: 100-Corp_Firewall
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: Corp_Firewall
Created at: Sat Nov 16 01:30:50 2013
Installed from: corp-mgmt-192.168.1.2
The question is why the ISE is doing this? What is the purpose for this http connection, some kind of "back door" by Cisco?
Liferay is an open source web portal for hosting cloud applications. This is definitely NOT a Cisco back-door to the ISE.
About Us
Enterprise. Open Source. For Life.
Enterprise.
Liferay, Inc. was founded in 2004 in response to growing demand for Liferay Portal, the market's leading independent portal product that was garnering industry acclaim and adoption across the world. Today, Liferay, Inc. houses a professional services group that provides training, consulting and enterprise support services to our clientele in the Americas, EMEA, and Asia Pacific. It also houses a core development team that steers product development.
Open Source.
Liferay Portal was, in fact, created in 2000 and boasts a rich open source heritage that offers organizations a level of innovation and flexibility unrivaled in the industry. Thanks to a decade of ongoing collaboration with its active and mature open source community, Liferay's product development is the result of direct input from users with representation from all industries and organizational roles. It is for this reason, that organizations turn to Liferay technology for exceptional user experience, UI, and both technological and business flexibility.
For Life.
Liferay, Inc. was founded for a purpose greater than revenue and profit growth. Each quarter we donate to a number of worthy causes decided upon by our own employees. In the past we have made financial contributions toward AIDS relief and the Sudan refugee crisis through well-respected organizations such as Samaritan's Purse and World Vision. This desire to impact the world community is the heart of our company, and ultimately the reason why we exist.
You may want to investigate the applications being used on site.
Hopefully this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
In ISE (ise-3315) low reliability
Hello.
What will happen if one HDD breaks in an ISE-3315? The ISE has low reliability: no RAID. How can a server for security do without RAID?
How can we improve reliability?
The best solution is going for the higher appliance or the VMware solution. For reference, kindly see the following details:
Cisco Identity Services Engine Hardware Specifications
Specification | Cisco Identity Services Engine Appliance 3315 (Small) | Cisco Identity Services Engine Appliance 3355 (Medium) | Cisco Identity Services Engine Appliance 3395 (Large)
Processor | 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz | 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz | 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz
Memory | 4 GB | 4 GB | 4 GB
Hard disk | 2 x 250-GB SATA HDD | 2 x 300-GB SAS drives | 4 x 300-GB SFF SAS drives
RAID | No | Yes (RAID 0) | Yes (RAID 0+1)
Removable media | CD/DVD-ROM drive | CD/DVD-ROM drive | CD/DVD-ROM drive
Network Connectivity
Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs
10BASE-T cable support | Cat 3, 4, or 5 unshielded twisted pair (UTP) up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m) | Cat 3, 4, or 5 UTP up to 328 ft (100 m)
10/100/1000BASE-TX cable support | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m)
Secure Sockets Layer (SSL) accelerator card | None | Cavium CN1620-400-NHB-G | Cavium CN1620-400-NHB-G
Interfaces
Serial ports | 1 | 1 | 1
USB 2.0 ports | 4 (two front, two rear) | 4 (one front, one internal, two rear) | 4 (one front, one internal, two rear)
Video ports | 1 | 1 | 1
External SCSI ports | None | None | None
System Unit
Form factor | Rack-mount 1 RU | Rack-mount 1 RU | Rack-mount 1 RU
Weight | 28 lb (12.7 kg) fully configured | 35 lb (15.87 kg) fully configured | 35 lb (15.87 kg) fully configured
Dimensions (H x W x L) | 1.69 x 17.32 x 22 in. (43 x 440 x 55.9 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm) | 1.69 x 17.32 x 27.99 in. (43 x 42.62 x 711 mm)
Power supply | 350W | Dual 675W (redundant) | Dual 675W (redundant)
Cooling fans | 6; non-hot plug, nonredundant | 9; redundant | 9; redundant
BTU rating | 1024 BTU/hr (at 300W) | 2661 BTU/hr (at 120V) | 2661 BTU/hr (at 120V)
Compliance
FIPS | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules
Specification | Cisco Secure Network Server 3415 (Small) - New | Cisco Secure Network Server 3495 (Large) - New
Processor | 1 x Intel Xeon Quad-Core 2.4 GHz E5-2609 | 2 x Intel Xeon Quad-Core 2.4 GHz E5-2609
Memory | 16 GB | 32 GB
Hard disk | 1 x 600GB 6Gb SAS 10K RPM | 2 x 600GB 6Gb SAS 10K RPM
RAID | No | Yes (RAID 0+1)
CD/DVD-ROM drive | No | No
Network Connectivity
Ethernet NICs | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs
10/100/1000BASE-TX cable support | Cat 5 UTP up to 328 ft (100 m) | Cat 5 UTP up to 328 ft (100 m)
Secure Sockets Layer (SSL) accelerator card | None | Cavium CN1620-400-NHB-G
Interfaces
Front Panel Connector | 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector) | 1 x KVM console connector (supplies 2 USB, 1 VGA, and 1 serial connector)
Additional Rear Connectors | Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports | Additional interfaces including a VGA video port, 2 USB 2.0 ports, an RJ45 serial port, 1 Gigabit Ethernet management port, and dual 1 Gigabit Ethernet ports
System Unit
Form factor | Rack-mount 1 RU | Rack-mount 1 RU
Weight | 35.6 lbs (16.2 kg) | 26.8 lbs (12.1 kg) | 35 lb (15.87 kg) fully configured
Dimensions (H x W x L) | 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm) | 1.7 x 16.9 x 28.5 in. (4.32 x 43 x 72.4 cm)
Power supply | 650W | Dual 650W (redundant)
Cooling fans | 5 | 5
Temperature: Operating | 32 to 104°F (0 to 40°C) (operating, sea level, no fan fail, no CPU throttling, turbo mode) | 32 to 104°F (0 to 40°C) (operating, sea level, no fan fail, no CPU throttling, turbo mode)
Temperature: Nonoperating | -40 to 158°F (-40 to 70°C) | -40 to 158°F (-40 to 70°C)
Compliance
FIPS | Uses FIPS 140-2 Level 1 validated cryptographic modules | Uses FIPS 140-2 Level 1 validated cryptographic modules
-
Secure Network Servers (SNS) in ISE version 1.1.4
Hi board,
I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
In nearly all documents it is stated, that the support for this HW will be introduced with ISE 1.2
For example ISE Q&A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
What else is being released with ISE 1.2*?
A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The multiuse Cisco Secure Network Servers offer many improvements over current ISE, ACS, and NAC appliances, and are the platform recommended to deploy newer versions of these applications. During ordering, customers can specify which security application they would like to have installed. See the Product Details section for more information.
On the other hand, in the 1.1.x release notes it's stated, that the HW is supported in the current 1.1.4 release
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on the installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location:
What is true now? What HW appliance do I chose, if I want to order today?
I don't want to order the old appliances (33xx), because they are already EoL announced:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
Thanks!
Hi Johanne,
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms.
Supported Hardware and Personas:

Hardware Platform: Cisco SNS-3415-K9 (small)
Persona: Any
Configuration:
• Cisco UCS [1] C220 M3
• Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
• 16-GB RAM
• 1 x 600-GB disk
• Embedded Software RAID 0
• 4 GE network interfaces

Hardware Platform: Cisco SNS-3495-K9 [2] (large)
Persona: Administration, Policy Service, Monitor
Configuration:
• Cisco UCS C220 M3
• Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
• 32-GB RAM
• 2 x 600-GB disk
• RAID 0+1
• 4 GE network interfaces

Hardware Platform: Cisco ISE-3315-K9 (small)
Persona: Any
Configuration:
• 1x Xeon 2.66-GHz quad-core processor
• 4 GB RAM
• 2 x 250 GB SATA [3] HDD [4]
• 4x 1 GB NIC [5]

Hardware Platform: Cisco ISE-3355-K9 (medium)
Persona: Any
Configuration:
• 1x Nehalem 2.0-GHz quad-core processor
• 4 GB RAM
• 2 x 300 GB 2.5 in. SATA HDD
• RAID [6] (disabled)
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-3395-K9 (large)
Persona: Any
Configuration:
• 2x Nehalem 2.0-GHz quad-core processor
• 4 GB RAM
• 4 x 300 GB 2.5 in. SAS II HDD
• RAID 1
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-VM-K9 (VMware)
Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
Configuration:
• For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. [7]
• Hard Disks (minimum allocated memory):
  – Stand-alone: 600 GB
  – Administration: 200 GB
  – Policy Service and Monitoring: 600 GB
  – Monitoring: 500 GB
  – Policy Service: 100 GB
• NIC: 1 GB NIC interface required (You can install up to 4 NICs.)
• Supported VMware versions include:
  – ESX 4.x
  – ESXi 4.x and 5.x

[1] Cisco Unified Computing System (UCS)
[2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
[3] SATA = Serial Advanced Technology Attachment
[4] HDD = hard disk drive
[5] NIC = network interface card
[6] RAID = Redundant Array of Independent Disks
[7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
Please check the following link for further information.
https://supportforums.cisco.com/message/3986953#3986953 -
Mac-Address Different format for Authorization on Cisco ISE
Dear All,
I have problem with my Cisco ISE,
This is the design :
ISE ---- Core Switch ---- 3Com Switch --- PC User
My Case:
Authorization is based on Mac-address and Active Directory,
But a user with a PC that connects to the 3Com switch is denied by ISE because the MAC address format is different from Cisco's,
Mac-address Cisco format : XX:XX:XX:XX:XX:XX
Mac-address 3Com format : XXXX-XXXX-XXXX
3Com Switch type is TRICOM 4210 26-PORT.
Does anyone have experience with this, and how do I change the MAC address format on the 3Com so the user can be authorized by Cisco ISE?
Note:
Authorization based on Active Directory is not a problem with the 3Com switch.
Based on my experience, different products use different MAC address formats, so this case is not only for the 3Com switch.
Thanks,
Arika Wahyono
I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that Cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3Com switch point against that.
Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
PS- Keep in mind that my comments are just my opinion so you may need to open a TAC case for an official answer.
Tarik Admani
*Please rate helpful posts* -
ISE Restore fails after 80% (Segmentation fault)
Hi All
After a system crash I'm trying to restore. I first did a application reset-config ise and then a restore over an ftp repository.
After 80% it fails at DB Syncup with a segmentation fault. I tried this with different backup versions, all having the latest patch level.
Any ideas?
Thanks
Initiating restore. Please wait...
% restore in progress: Starting Restore...10% completed
% restore in progress: Retrieving backup file from Repository...20% completed
% restore in progress: Decrypting backup data...25% completed
% restore in progress: Extracting backup data...30% completed
Leaving the currently connected AD domain
Please rejoin the AD domain from the administrative GUI
% restore in progress: Stopping ISE processes required for restore...35% completed
% restore in progress: Restoring ISE configuration database...40% completed
% restore in progress: Updating Database metadata...70% completed
% restore in progress: Restoring logs...75% completed
% restore in progress: Performing ISE Database synchup...80% completed
/opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11162 Segmentation fault (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
/opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11177 Segmentation fault (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
/opt/CSCOcpm/bin/isecfgrestore.sh: line 1248: 11187 Segmentation fault (core dumped) curl -q -k --tlsv1 --connect-timeout 10 https://$MYIP/admin/index.jsp > /dev/null 2>&1
......and so on
Cisco Application Deployment Engine OS Release: 2.2
ADE-OS Build Version: 2.2.0.162
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2014 by Cisco Systems, Inc.
All rights reserved.
Version information of installed applications
Cisco Identity Services Engine
Version : 1.3.0.876
Build Date : Tue Oct 28 04:02:29 2014
Install Date : Fri Dec 5 08:31:15 2014
Cisco Identity Services Engine Patch
Version : 1
Install Date : Mon Jan 26 10:21:50 2015
After sending the appropriate logs to the TAC I learned that even though the restore looked to have failed, at 80% the actual restore has been completed and what was failing was the node synchronization. With this knowledge I was able to access the admin GUI and manually sync up the other nodes and have been running without issue.
As it turns out this is a documented issue, CSCur36983, and will be fixed in release 1.4.
Here is the reply I received from the TAC:
"Based on the logs sent, we're definitely hitting CSCur36983 which will be
fixed in ISE 1.4:
https://tools.cisco.com/bugsearch/bug/CSCur36983/
According to the bug details, when we reach 80% the restoration part itself
has already completed. What is failing is a sync with the rest of the nodes
in the deployment. Therefore, you can reload the ISE at this point and you
should have access to the admin GUI again. From there, you can force a sync up with the other nodes."